Description:
SiteMinder wrongly sets the user's account to admin disabled in the AD user store (with Enhanced AD Integration enabled) instead of setting the account status to locked out when the maximum allowed login attempts is exceeded, when -
The expected behavior is that the account gets locked out, not admin disabled. If accounts are admin disabled on maximum login failures, there is no way to tell whether a user was disabled by HR for administrative reasons or was simply locked out for retrying a password too many times. The two states also recover differently in AD: a lockout clears on its own once the domain's lockout duration expires (or when an administrator unlocks it), whereas an admin-disabled account stays disabled until someone re-enables it.
Solution:
IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, back it up and make sure you know how to restore it if a problem occurs.
For more information about how to back up, restore, and edit the registry, review the relevant Microsoft Knowledge Base articles on support.microsoft.com.
Beginning with SiteMinder Policy Server 6.0 SP5 CR35, a new registry value 'ADLockoutMode' is available. When it is set to 1, the Policy Server locks the user out in AD instead of disabling the account when the maximum number of login attempts is exceeded.
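The following PowerShell is an added example, not part of the original article, showing how a practitioner would apply this change: back up the key first (per the warning above), set ADLockoutMode to 1, read it back, and then check a test account in AD to confirm that exceeding the maximum attempts now produces a lockout rather than an admin disable. The registry path under HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider is an assumption; confirm it against the Policy Server documentation for your release. The Get-AccountLockState helper and the smtestuser account are hypothetical, and the verification step relies on the ActiveDirectory RSAT module.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on the
# Policy Server host.
# ASSUMPTION: the key path below is assumed; verify it for your Policy Server version.
$KeyPath   = 'HKLM:\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LDAPProvider'
$ValueName = 'ADLockoutMode'
$BackupDir = 'C:\Backup\SiteMinder'

# 1. Back up the key before touching it. Abort if the export fails.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $BackupDir "LDAPProvider-$stamp.reg"
$regPath = $KeyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup of $regPath failed; no changes made." }
Write-Host "Backup written to $backup"

# 2. Record the current value (absent means the original disable behavior), then set
#    the DWORD to 1 so the Policy Server locks the account instead of disabling it.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host ("Current {0}: {1}" -f $ValueName, $(if ($null -eq $current) { '<not set>' } else { $current }))
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Read the value back and fail loudly if it did not take.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) { throw "$ValueName is '$after', expected 1" }
Write-Host "$ValueName is now 1. ASSUMPTION: the Policy Server reads this at startup, so plan a service restart."

# 4. Verification helper: after a test user exceeds the maximum attempts, report whether
#    AD recorded a lockout (lockoutTime set) or an admin disable (ACCOUNTDISABLE, bit 0x2
#    of userAccountControl). Requires the ActiveDirectory RSAT module.
function Get-AccountLockState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
            -Properties Enabled, LockedOut, lockoutTime, userAccountControl, badPwdCount
    [pscustomobject]@{
        User               = $u.SamAccountName
        Enabled            = $u.Enabled        # $false => admin disabled
        LockedOut          = $u.LockedOut      # $true  => locked out by bad-password attempts
        AccountDisableBit  = [bool]($u.userAccountControl -band 0x2)
        LockoutTime        = $(if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null })
        BadPwdCount        = $u.badPwdCount    # not replicated; read from the DC that handled the bind or the PDC emulator
        Verdict            = $(if (-not $u.Enabled) { 'ADMIN DISABLED (the behavior this article fixes)' }
                               elseif ($u.LockedOut) { 'LOCKED OUT (expected with ADLockoutMode=1)' }
                               else { 'active' })
    }
}

# Hypothetical test account; drive it past the maximum login attempts through SiteMinder,
# then inspect the resulting AD state.
Get-AccountLockState -SamAccountName 'smtestuser' | Format-List
```

The helper reports both the raw userAccountControl bit and the computed LockedOut flag so the two states can be told apart unambiguously, which is exactly the distinction the Description says is lost when the account is disabled instead of locked out.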